Patch management is an essential practice in IT and systems maintenance. Put simply, it is the way you correct errors and vulnerabilities by applying “patches”.
These are updates to operating systems, network equipment, software products, and applications, created to solve issues that are found after release. A good patch management process can keep your environment secure from cyber-attacks and help an IT environment run smoothly without downtime. It can ensure that you’re fully compliant with many regulatory requirements, and help software run at peak performance.
Your patch management approach needs to include keeping on top of all available patches, knowing what patches are right for what systems, documenting your patch schedule, and thoroughly testing systems after patching is complete.
Automating patch management can help to streamline and improve the accuracy of these tasks.
Software patches include adjustments to programming code. They cost money to produce and software houses don’t create them frivolously. Here are the main reasons that software producers create and distribute patches:
Security: Hackers explore operating systems and network security services constantly looking for ways to manipulate them to break in, install spyware, or steal data. A piece of software that seems to be secure today might become a security weakness when new knowledge arises. These newly discovered loopholes are called “exploits” and patches remove them.
System availability: By removing discovered errors, patches can prevent the system from crashing or hanging. You might not have run across the error that is being fixed but, if it’s there, it could damage your system uptime, so it is better to apply the patch.
Standards compliance: If you need to comply with an industry security standard, like PCI DSS or HIPAA, you need to implement a patch management strategy as a requirement of those standards.
System guarantees: Software providers will refuse to stand by any system guarantees for buyers who fail to keep up with the latest version of the software by applying all patches. In some instances, providers refuse access to support unless the software is fully patched. Having out-of-date software can also be an excuse used by your professional insurance provider not to pay out in the case of a disaster.
System enhancements: Some feature improvements are not issued as a full update but as a patch instead. This is particularly the case when the improvement is meant to make a backend process more efficient. So, if you don’t apply patches, you are missing out on free upgrades.
In short, it is not a good idea to ignore patches.
Create patch management system policies by first defining a set of rules. These rules inform the patch management system of important operating parameters, such as when the system is available for a patch run.
Your patch management policies need to be coordinated with business practices and system priorities. They will be implemented in the patch management system as a series of profiles. Here are a few tips:
1. Create separate profiles per device type and operating system
The patches that you receive won’t apply to all of your devices, because each piece of software is closely tied to the operating system it runs on. Therefore, you don’t need to patch all systems simultaneously. Creating separate profiles gives you flexibility.
2. Separate out systems that are critical
Examples of this are the operating system itself, or a service that keeps an entry in the registry. Patches applied to these programs will require a system reboot. Other software packages won’t require that and should be put in a separate patch rollout group.
3. Create a system preparation policy
Set up a profile for creating a system restore point so that everything can be rolled back to its status before a patch rollout began if something goes wrong during the patch application process. Attach other admin policy actions to this profile. Schedule this profile to run first before any patch rollouts.
4. Create a regular window for patches
Identify a day of the week and an hour of the day each week when there is almost no user activity.
You don’t have to attend the rollout, but you need to be able to check system availability after it has completed and before the user community clocks in for work.
5. Leave gaps in the rollout schedule
If you are likely to apply patches in several policy groups during the same time frame, leave a gap of about an hour between the launch times of each. This gives time for each policy group to have completed its updates before the next begins. Run the lower-priority patch group that doesn’t require a reboot first, unless patch release notes require otherwise.
6. Ensure that all devices are on
You can check in the patch management system to see whether there are any patches that need to be applied in the run-up to your weekly patch rollout time slot. Ensure that all of the devices that will be touched by that policy group activation are on and connected to the network before you leave the office for the evening.
7. Be the first in the office after the rollout
Don’t set a patch rollout window for a day when you can’t be sure that you will be the first to access the system the next day. If an appointment means you probably won’t be able to check the system before the users log on after an update, suspend the rollout.
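The seven tips above describe one procedure: group devices into profiles, put the restore-point job first, run non-reboot groups before reboot groups, stagger launches by about an hour, confirm every device is online beforehand, and finish with enough time to verify before users log on. As an added example (not code from the original post, and not part of Atera’s product), here is that procedure expressed as a small Python planner. Profile names, hostnames and the Sunday 02:00 window are constructed sample data; the one-hour gap and 30-minute verification allowance are assumptions taken from the tips, not values the page prescribes beyond “about an hour”.

```python
"""Plan a staggered patch rollout from per-profile policy rules.

Constructed example: profile names, hostnames and times are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PatchProfile:
    name: str               # one profile per device type / OS (tip 1)
    os: str
    devices: list           # hostnames this profile touches
    requires_reboot: bool   # OS / registry-level patches need a reboot (tip 2)
    critical: bool = False  # critical systems get their own, later slot


@dataclass
class ScheduledJob:
    start: datetime
    profile: str
    action: str


def build_rollout_schedule(profiles, window_start, gap=timedelta(hours=1)):
    """Order the profiles and assign staggered start times.

    Rules applied:
      - a system-preparation job (restore point) always runs first (tip 3);
      - groups that do not need a reboot run before those that do (tip 5);
      - critical systems go last, each in its own slot (tip 2);
      - consecutive launch times are separated by `gap` (tip 5).
    """
    ordered = sorted(profiles, key=lambda p: (p.requires_reboot, p.critical, p.name))
    jobs = [ScheduledJob(window_start, "system-preparation", "create restore point")]
    t = window_start
    for p in ordered:
        t += gap
        action = "apply patches" + (" + reboot" if p.requires_reboot else "")
        jobs.append(ScheduledJob(t, p.name, action))
    return jobs


def fits_window(jobs, users_start, gap=timedelta(hours=1),
                verify=timedelta(minutes=30)):
    """True if the last job can finish and be checked before users log on (tips 4, 7)."""
    return jobs[-1].start + gap + verify <= users_start


def offline_devices(profile, online):
    """Devices in the profile that are not currently reachable (tip 6)."""
    return [d for d in profile.devices if d not in online]


def readiness_report(profiles, online):
    """Map each profile to its offline devices; an empty list means it may run."""
    return {p.name: offline_devices(p, online) for p in profiles}


# Constructed sample data (hypothetical environment).
PROFILES = [
    PatchProfile("win10-workstations-apps", "windows", ["ws-01", "ws-02"], False),
    PatchProfile("win10-workstations-os", "windows", ["ws-01", "ws-02"], True),
    PatchProfile("macos-laptops-apps", "macos", ["mac-01"], False),
    PatchProfile("win-servers-os", "windows", ["srv-01", "srv-02"], True, critical=True),
]
WINDOW_START = datetime(2024, 1, 7, 2, 0)   # Sunday 02:00, low user activity
ONLINE = {"ws-01", "ws-02", "mac-01", "srv-01"}  # srv-02 was left switched off

if __name__ == "__main__":
    plan = build_rollout_schedule(PROFILES, WINDOW_START)
    for job in plan:
        print(f"{job.start:%a %H:%M}  {job.profile:<26} {job.action}")
    print("verifiable before 08:00:", fits_window(plan, WINDOW_START.replace(hour=8)))
    for name, missing in readiness_report(PROFILES, ONLINE).items():
        print(f"{name}: {'ready' if not missing else 'OFFLINE ' + ', '.join(missing)}")
```

A profile whose readiness report is non-empty should be suspended for that window rather than run partially, since the devices that were off will still be unpatched when the user community logs in and the post-rollout check cannot cover them.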
For more detailed information about patch management best practices, please visit our support page on the subject.
Atera’s Patch Management Software gives you full control over all your patches from one place!
Save time by automating patches for OS, software, and hardware and use our powerful and robust instant reporting capabilities to stay on top of every agent, ensuring airtight security and control.
Software patch management can be completely automated, thanks to our integrations with Chocolatey for Windows and Homebrew for Mac devices. Both options come with a comprehensive list of patches for common software products, from Chrome and Zoom to Skype, Dropbox, and everything in between.
Add these to your IT automation profiles, create software bundles to install or update at scale for each customer, and even exclude certain software patches as necessary.